  1. /sbin/iptables -L -v
  2. Chain INPUT (policy DROP 2004 packets, 109K bytes)
  3. pkts bytes target prot opt in out source destination
  4. 2169 107K LOG tcp -- any any anywhere anywhere state INVALID LOG level warning prefix `FIREWALL:INVALID '
  5. 360K 37M LOG all -- any any anywhere anywhere LOG level warning prefix `FIREWALL:INPUT '
  6. 0 0 ACCEPT all -- lo any anywhere anywhere
  7. 360K 37M SERVICES all -- any any anywhere anywhere
  8. 192K 12M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
  9. 0 0 tcp -- any any anywhere anywhere tcp dpt:ssh state NEW recent: SET name: SSH side: source
  10. 0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 8 TTL Match name: SSH side: source
  11. 93 4092 DROP all -- any any anywhere anywhere state INVALID
  12. 0 0 DROP all -- any any 10.0.0.0/8 anywhere
  13. 0 0 DROP all -- any any link-local/16 anywhere
  14. 0 0 DROP all -- any any 172.16.0.0/12 anywhere
  15. 0 0 DROP all -- any any loopback/8 anywhere
  16. 0 0 DROP all -- any any base-address.mcast.net/4 anywhere
  17. 0 0 DROP all -- any any anywhere base-address.mcast.net/4
  18. 0 0 DROP all -- any any 240.0.0.0/5 anywhere
  19. 0 0 DROP all -- any any anywhere 240.0.0.0/5
  20. 0 0 DROP all -- any any 0.0.0.0/8 anywhere
  21. 0 0 DROP all -- any any anywhere 0.0.0.0/8
  22. 0 0 DROP all -- any any anywhere 239.255.255.0/24
  23. 0 0 DROP all -- any any anywhere 255.255.255.255
  24. 0 0 DROP icmp -- any any anywhere anywhere icmp address-mask-request
  25. 0 0 DROP icmp -- any any anywhere anywhere icmp timestamp-request
  26. 16 820 ACCEPT icmp -- any any anywhere anywhere icmp any limit: avg 1/sec burst 5
  27. 0 0 DROP all -- any any 41.191.226.74 anywhere
  28. 0 0 DROP all -- any any 41.191.226.74 anywhere
  29. 0 0 DROP all -- any any host138-23-static.57-88-b.business.telecomitalia.it anywhere
  30. 0 0 DROP all -- any any 222.186.8.1 anywhere
  31. 0 0 DROP all -- any any 211.151.97.90 anywhere
  32. 0 0 DROP all -- any any 211.151.97.90 anywhere
  33. 0 0 DROP all -- any any 194-70-73-109.rackcentre.redstation.net.uk anywhere
  34. 0 0 DROP all -- any any 81.209.165.73 anywhere
  35.  
  36. Chain FORWARD (policy DROP 0 packets, 0 bytes)
  37. pkts bytes target prot opt in out source destination
  38. 0 0 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
  39. 0 0 DROP all -- any any anywhere anywhere state INVALID
  40.  
  41. Chain OUTPUT (policy ACCEPT 323K packets, 146M bytes)
  42. pkts bytes target prot opt in out source destination
  43. 1920 77624 DROP all -- any any anywhere anywhere state INVALID
  44.  
  45. Chain SERVICES (1 references)
  46. pkts bytes target prot opt in out source destination
  47. 93714 14M ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
  48. 32000 2768K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
  49. 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
  50. 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:10000
  51. 0 0 ACCEPT tcp -- any any den.teliax.net anywhere tcp dpt:5060
  52. 65 49684 ACCEPT udp -- any any den.teliax.net anywhere udp dpt:5060
  53. 40552 8110K ACCEPT udp -- any any den.teliax.net anywhere udp dpts:10000:20000
  54.  
  55.  
  56.  
rules file (iptables-restore format). The listing above appears to be the result of loading these rules: chains, ports and the VoIP source (den.teliax.net = 63.211.239.14) agree. Two things to read from the listing: it was taken with `iptables -L -v` rather than `iptables -nvL`, so source addresses were reverse-resolved (88.57.23.138 shows up as a telecomitalia.it hostname, 109.73.70.194 as a redstation.net.uk one); and the packet counters on every anti-spoofing, SSH rate-limit and block-by-ip rule are 0 while the SERVICES chain has accepted 32000 packets on tcp/22, because the jump to SERVICES is evaluated before any of those rules.
  58.  
  59. *filter
  60.  
  61. #policies
  62.  
  63. -P OUTPUT ACCEPT
  64. -P INPUT DROP
  65. -P FORWARD DROP
  66. -N SERVICES
  67.  
  68. #logging
  69. -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
  70. -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
  71.  
  72. #allowed inputs
  73. -A INPUT --in-interface lo -j ACCEPT
  74. -A INPUT -j SERVICES
  75.  
  76. #VoIP alternative, implement slowly
  77. #-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  78. #-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as --ctstate INVALID."
  79.  
  80. #allowed responses
  81. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  82.  
  83. #mtu fix
  84. -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  85.  
  86. #attack prevention
  87. -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  88. -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
  89. -A INPUT -m state --state INVALID -j DROP
  90. -A FORWARD -m state --state INVALID -j DROP
  91. -A OUTPUT -m state --state INVALID -j DROP
  92. -A INPUT -s 10.0.0.0/8 -j DROP
  93. -A INPUT -s 169.254.0.0/16 -j DROP
  94. -A INPUT -s 172.16.0.0/12 -j DROP
  95. -A INPUT -s 127.0.0.0/8 -j DROP
  96. -A INPUT -s 224.0.0.0/4 -j DROP
  97. -A INPUT -d 224.0.0.0/4 -j DROP
  98. -A INPUT -s 240.0.0.0/5 -j DROP
  99. -A INPUT -d 240.0.0.0/5 -j DROP
  100. -A INPUT -s 0.0.0.0/8 -j DROP
  101. -A INPUT -d 0.0.0.0/8 -j DROP
  102. -A INPUT -d 239.255.255.0/24 -j DROP
  103. -A INPUT -d 255.255.255.255 -j DROP
  104. -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
  105. -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
  106. -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
  107. #-A INPUT -m state --state INVALID -j DROP
  108. #-A FORWARD -m state --state INVALID -j DROP
  109. #-A OUTPUT -m state --state INVALID -j DROP
  110. #-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  111. #-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  112. #-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
  113. #-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
  114. #-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
  115. #-A INPUT -m recent --name portscan --remove
  116. #-A FORWARD -m recent --name portscan --remove
  117. #-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
  118. #-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
  119. #-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
  120. #-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
  121.  
  122. #block by ip
  123. -A INPUT -s 41.191.226.74 -j DROP
  124. -A INPUT -s 41.191.226.74 -j DROP
  125. -A INPUT -s 88.57.23.138 -j DROP
  126. -A INPUT -s 222.186.8.1 -j DROP
  127. -A INPUT -s 211.151.97.90 -j DROP
  128. -A INPUT -s 211.151.97.90 -j DROP
  129. -A INPUT -s 109.73.70.194 -j DROP
  130. -A INPUT -s 81.209.165.73 -j DROP
  131.  
  132. #allow services
  133. -A SERVICES -p tcp --dport 80 -j ACCEPT
  134. -A SERVICES -p tcp --dport 22 -j ACCEPT
  135. -A SERVICES -p tcp --dport 21 -j ACCEPT
  136. -A SERVICES -p tcp --dport 10000 -j ACCEPT
  137. -A SERVICES -p tcp --dport 5060 -s 63.211.239.14 -j ACCEPT
  138. -A SERVICES -p udp --dport 5060 -s 63.211.239.14 -j ACCEPT
  139. -A SERVICES -p udp --dport 10000:20000 -s 63.211.239.14 -j ACCEPT
  140. COMMIT